Posted by Chris Shiflett on 04/11/05 19:32
Chris Boget wrote:
> > This idea of storing passwords in cookies is absurd.
>
> Is the above sentiment true even if you store the password as some sort
> of hash (md5 or otherwise)?
Yes, because passwords offer long-term access. If you accept a hash of
the password for access, then that hash becomes as sensitive as the
password. For example, this is why using client-side scripting to send
the hash of a password in a login form offers no protection.
Most people who inquire about storing access credentials (username and
password, password, hash of the password, etc.) in a cookie want to
provide a persistent login. This is a form of access control that is
temporarily removed by the presence of this cookie, which is difficult
enough to protect without adding in unnecessary risks. Even a temporary
token used in exactly the same manner offers less risk than anything
based upon the password.
Hope that helps.
Chris
--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/
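As an added example (this is not code from Chris's post, nor from Brain Bulb), here is the "temporary token used in exactly the same manner" scheme next to the password-hash cookie it replaces, in Python. The class and function names, the 30-day lifetime and the in-memory store are assumptions made for illustration; the point it demonstrates is the one above: a token is random, unrelated to the password, expires, and can be revoked per device, whereas an md5(password) cookie is a credential that works until the password is changed.

```python
import hashlib
import secrets
import time

# Added example, not code from the original post. Names, lifetime and the
# in-memory store are assumptions made for illustration.

TOKEN_LIFETIME = 30 * 24 * 3600  # seconds; 30 days is an arbitrary choice


class PersistentLoginStore:
    """Persistent-login tokens that are independent of the user's password."""

    def __init__(self):
        # sha256(token) -> (username, expires_at). The raw token is never stored,
        # so a leaked table does not hand out working cookies.
        self._tokens = {}

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, username, now=None):
        """Create a token for `username`; the return value is the cookie value."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._tokens[self._digest(token)] = (username, now + TOKEN_LIFETIME)
        return token

    def lookup(self, token, now=None):
        """Return the username for a valid, unexpired token, else None."""
        now = time.time() if now is None else now
        digest = self._digest(token)
        record = self._tokens.get(digest)
        if record is None:
            return None
        username, expires_at = record
        if now >= expires_at:
            # Expired: forget it so it cannot be replayed later.
            del self._tokens[digest]
            return None
        return username

    def revoke(self, token):
        """Log out one device without touching the password."""
        self._tokens.pop(self._digest(token), None)

    def revoke_all(self, username):
        """Log out every device for a user, e.g. after a suspected cookie theft."""
        for digest in [d for d, (u, _) in self._tokens.items() if u == username]:
            del self._tokens[digest]


def password_hash_cookie(password):
    """The rejected design: cookie = md5(password).

    Whoever reads this cookie (XSS, a shared machine, a proxy log) holds a
    credential that is valid until the user changes the password, and can
    also attempt to crack the password offline.
    """
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def password_hash_cookie_accepted(cookie, stored_md5):
    """Server-side check for the rejected design: no expiry, and nothing to
    revoke short of changing the password itself."""
    return secrets.compare_digest(cookie, stored_md5)


def compare_designs():
    """Replay a stolen cookie of each kind one year later (constructed scenario)."""
    year_later = 365 * 24 * 3600
    # Rejected design: the md5 cookie still works after a year.
    stolen_md5 = password_hash_cookie("correct horse battery staple")
    md5_still_works = password_hash_cookie_accepted(
        stolen_md5, password_hash_cookie("correct horse battery staple"))
    # Token design: the stolen token has expired (and could have been revoked
    # the moment the theft was noticed, without a password change).
    store = PersistentLoginStore()
    stolen_token = store.issue("alice", now=0)
    token_still_works = store.lookup(stolen_token, now=year_later) is not None
    return {"md5_cookie_replays": md5_still_works,
            "token_cookie_replays": token_still_works}
```

In a real deployment the token cookie would also be sent with the Secure and HttpOnly flags, and the table would live in the database rather than a dict; the lookup is by SHA-256 digest so that even a copy of that table does not yield usable cookie values.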